public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var safeId = KeyIdCreator.Create(serviceAccountId); var keyring = new KeyRingName(mProjectName, mKeyringLocation, mKeyringName); var cryptoKeyName = new CryptoKeyName(mProjectName, mKeyringLocation, mKeyringName, safeId); try { await mKmsService.GetCryptoKeyAsync(cryptoKeyName); } catch (RpcException e) when(e.StatusCode == StatusCode.NotFound && createKeyIfMissing) { var key = new CryptoKey { Purpose = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt, VersionTemplate = new CryptoKeyVersionTemplate { ProtectionLevel = ProtectionLevel.Software } }; if (mRotationPeriod.HasValue) { key.NextRotationTime = (DateTime.UtcNow + mRotationPeriod.Value).ToTimestamp(); key.RotationPeriod = Duration.FromTimeSpan(mRotationPeriod.Value); } var request = await mKmsService.CreateCryptoKeyAsync(keyring, safeId, key); } var cryptoKeyPathName = new CryptoKeyPathName(mProjectName, mKeyringLocation, mKeyringName, safeId); var encryted = await mKmsService.EncryptAsync(cryptoKeyPathName, ByteString.FromBase64(data)); return(encryted.Ciphertext.ToBase64()); }
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var safeId = KeyIdCreator.Create(serviceAccountId); var cryptoKeys = mKmsService.Projects.Locations.KeyRings.CryptoKeys; var keyringId = $"projects/{mProjectName}/locations/{mKeyringLocation}/keyRings/{mKeyringName}"; var keyId = $"{keyringId}/cryptoKeys/{safeId}"; try { await cryptoKeys.Get(keyId).ExecuteAsync(); } catch (GoogleApiException e) when(e.HttpStatusCode == HttpStatusCode.NotFound && createKeyIfMissing) { //todo: handle key rotation - currently set to never expired var key = new CryptoKey { Purpose = "ENCRYPT_DECRYPT", VersionTemplate = new CryptoKeyVersionTemplate { ProtectionLevel = mProtectionLevel } }; var request = cryptoKeys.Create(key, keyringId); request.CryptoKeyId = safeId; await request.ExecuteAsync(); } var encryted = await cryptoKeys.Encrypt(new EncryptRequest { Plaintext = data }, keyId).ExecuteAsync(); return(encryted.Ciphertext); }
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var masterKeyAlias = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}"; var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias); var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey.ToArray(), Encoding.UTF8.GetBytes(data)); return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData)); }
public async Task <string> Decrypt(string encryptedData, string serviceAccountId) { var safeId = KeyIdCreator.Create(serviceAccountId); var cryptoKeyName = new CryptoKeyName(mProjectName, mKeyringLocation, mKeyringName, safeId); var result = await mKmsService.DecryptAsync( cryptoKeyName, ByteString.FromBase64(encryptedData)); return(result.Plaintext.ToBase64()); }
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var cmkPrefix = string.IsNullOrEmpty(mCmkPrefix) ? "" : $"{mCmkPrefix}-"; var masterKeyAlias = $"alias/{cmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}"; var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias); mSymmetricKeyManagement.SetEncryptionKey(Convert.ToBase64String(dataKey.ToArray())); var encryptedData = await mSymmetricKeyManagement.Encrypt(data, serviceAccountId); return("env" + "$" + encryptedDataKey + "$" + encryptedData); }
public async Task <string> Decrypt(string encryptedData, string serviceAccountId) { var safeId = KeyIdCreator.Create(serviceAccountId); var cryptoKeys = mKmsService.Projects.Locations.KeyRings.CryptoKeys; var keyringId = $"projects/{mProjectName}/locations/{mKeyringLocation}/keyRings/{mKeyringName}"; var keyId = $"{keyringId}/cryptoKeys/{safeId}"; var result = await cryptoKeys.Decrypt(new DecryptRequest { Ciphertext = encryptedData }, keyId).ExecuteAsync(); return(result.Plaintext); }
public async Task <string> Decrypt(string encryptedData, string serviceAccountId) { var tuple = EnvelopeEncryptionUtils.Unwrap(encryptedData).ValueOrFailure("Invalid encrypted data format"); var(encryptedDataKey, iv, actualEncryptedData) = tuple; var masterKeyAlias = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}"; var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest { CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)), KeyId = masterKeyAlias }); var decrypted = RijndaelUtils.Decrypt(decryptionResult.Plaintext.ToArray(), iv, actualEncryptedData); return(Encoding.UTF8.GetString(decrypted)); }
public async Task <string> Decrypt(string encryptedData, string serviceAccountId) { var hash = KeyIdCreator.Create(serviceAccountId); var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{hash}"; try { var encryptionResult = await mKeyVaultClient.DecryptAsync(keyId, "RSA-OAEP", Convert.FromBase64String(encryptedData)); return(Encoding.UTF8.GetString(encryptionResult.Result)); } catch (KeyVaultErrorException e) { throw new DecryptionFailureException("KeyVault decryption failed", e); } }
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true) { var hash = KeyIdCreator.Create(serviceAccountId); var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{hash}"; try { await mKeyVaultClient.GetKeyAsync(keyId); } catch (KeyVaultErrorException e) when(e.Response.StatusCode == HttpStatusCode.NotFound && createKeyIfMissing) { mLogger.Information( "KeyVault key was not found for service account id {serviceAccount}, creating new one.", serviceAccountId); await mKeyVaultClient.CreateKeyAsync($"https://{mKeyVaultName}.vault.azure.net", hash, mKeyType, mKeyLength); } var encryptionResult = await mKeyVaultClient.EncryptAsync(keyId, "RSA-OAEP", Encoding.UTF8.GetBytes(data)); return(Convert.ToBase64String(encryptionResult.Result)); }